# Copyright 2022 99cloud
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# flake8: noqa
# fmt: off

from . import base

list_rules = (
    base.Rule(
        name="admin_or_owner",
        check_str=("is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"),
        description="DEPRECATED: This rule will be removed in the Yoga release.            Default rule for most non-Admin APIs.",
    ),
    base.Rule(
        name="system_or_domain_or_project_admin",
        check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"),
        description="DEPRECATED: This rule will be removed in the Yoga release.            Default rule for admins of cloud, domain or a project.",
    ),
    base.Rule(
        name="context_is_admin",
        check_str=("role:admin"),
        description="Decides what is required for the 'is_admin:True' check to succeed.",
    ),
    base.Rule(
        name="admin_api",
        check_str=("is_admin:True or (role:admin and is_admin_project:True)"),
        description="Default rule for most Admin APIs.",
    ),
    base.Rule(
        name="xena_system_admin_or_project_reader",
        check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"),
        description="NOTE: this purely role-based rule recognizes only project scope",
    ),
    base.Rule(
        name="xena_system_admin_or_project_member",
        check_str=("(role:admin) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="NOTE: this purely role-based rule recognizes only project scope",
    ),
    base.Rule(
        name="volume_extension:volume_type_encryption",
        check_str=("rule:admin_api"),
        description="DEPRECATED: This rule will be removed in the Yoga release.",
    ),
    base.APIRule(
        name="volume:attachment_create",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create attachment.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/attachments"}],
    ),
    base.APIRule(
        name="volume:attachment_update",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update attachment.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/attachments/{attachment_id}"}],
    ),
    base.APIRule(
        name="volume:attachment_delete",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete attachment.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/attachments/{attachment_id}"}],
    ),
    base.APIRule(
        name="volume:attachment_complete",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Mark a volume attachment process as completed (in-use)",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/attachments/{attachment_id}/action (os-complete)"}],
    ),
    base.APIRule(
        name="volume:multiattach_bootable_volume",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Allow multiattach of bootable volumes.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/attachments"}],
    ),
    base.APIRule(
        name="message:get_all",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List messages.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/messages"}],
    ),
    base.APIRule(
        name="message:get",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show message.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/messages/{message_id}"}],
    ),
    base.APIRule(
        name="message:delete",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete message.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/messages/{message_id}"}],
    ),
    base.APIRule(
        name="clusters:get_all",
        check_str=("rule:admin_api"),
        description="List clusters.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/clusters"}, {"method": "GET", "path": "/clusters/detail"}],
    ),
    base.APIRule(
        name="clusters:get",
        check_str=("rule:admin_api"),
        description="Show cluster.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/clusters/{cluster_id}"}],
    ),
    base.APIRule(
        name="clusters:update",
        check_str=("rule:admin_api"),
        description="Update cluster.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/clusters/{cluster_id}"}],
    ),
    base.APIRule(
        name="workers:cleanup",
        check_str=("rule:admin_api"),
        description="Clean up workers.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/workers/cleanup"}],
    ),
    base.APIRule(
        name="volume:get_snapshot_metadata",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show snapshot's metadata or one specified metadata with a given key.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "GET", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
    ),
    base.APIRule(
        name="volume:update_snapshot_metadata",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update snapshot's metadata or one specified metadata with a given key.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "PUT", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
    ),
    base.APIRule(
        name="volume:delete_snapshot_metadata",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete snapshot's specified metadata with a given key.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
    ),
    base.APIRule(
        name="volume:get_all_snapshots",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List snapshots.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/snapshots"}, {"method": "GET", "path": "/snapshots/detail"}],
    ),
    base.APIRule(
        name="volume_extension:extended_snapshot_attributes",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List or show snapshots with extended attributes.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}"}, {"method": "GET", "path": "/snapshots/detail"}],
    ),
    base.APIRule(
        name="volume:create_snapshot",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/snapshots"}],
    ),
    base.APIRule(
        name="volume:get_snapshot",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show snapshot.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}"}],
    ),
    base.APIRule(
        name="volume:update_snapshot",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update snapshot.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/snapshots/{snapshot_id}"}],
    ),
    base.APIRule(
        name="volume:delete_snapshot",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete snapshot.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}"}],
    ),
    base.APIRule(
        name="volume_extension:snapshot_admin_actions:reset_status",
        check_str=("rule:admin_api"),
        description="Reset status of a snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-reset_status)"}],
    ),
    base.APIRule(
        name="snapshot_extension:snapshot_actions:update_snapshot_status",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update database fields of snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (update_snapshot_status)"}],
    ),
    base.APIRule(
        name="volume_extension:snapshot_admin_actions:force_delete",
        check_str=("rule:admin_api"),
        description="Force delete a snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-force_delete)"}],
    ),
    base.APIRule(
        name="snapshot_extension:list_manageable",
        check_str=("rule:admin_api"),
        description="List (in detail) of snapshots which are available to manage.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/manageable_snapshots"}, {"method": "GET", "path": "/manageable_snapshots/detail"}],
    ),
    base.APIRule(
        name="snapshot_extension:snapshot_manage",
        check_str=("rule:admin_api"),
        description="Manage an existing snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/manageable_snapshots"}],
    ),
    base.APIRule(
        name="snapshot_extension:snapshot_unmanage",
        check_str=("rule:admin_api"),
        description="Stop managing a snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-unmanage)"}],
    ),
    base.APIRule(
        name="backup:get_all",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List backups.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/backups"}, {"method": "GET", "path": "/backups/detail"}],
    ),
    base.APIRule(
        name="backup:backup_project_attribute",
        check_str=("rule:admin_api"),
        description="List backups or show backup with project attributes.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/backups/{backup_id}"}, {"method": "GET", "path": "/backups/detail"}],
    ),
    base.APIRule(
        name="backup:create",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create backup.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/backups"}],
    ),
    base.APIRule(
        name="backup:get",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show backup.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/backups/{backup_id}"}],
    ),
    base.APIRule(
        name="backup:update",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update backup.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/backups/{backup_id}"}],
    ),
    base.APIRule(
        name="backup:delete",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete backup.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/backups/{backup_id}"}],
    ),
    base.APIRule(
        name="backup:restore",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Restore backup.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/backups/{backup_id}/restore"}],
    ),
    base.APIRule(
        name="backup:backup-import",
        check_str=("rule:admin_api"),
        description="Import backup.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/backups/{backup_id}/import_record"}],
    ),
    base.APIRule(
        name="backup:export-import",
        check_str=("rule:admin_api"),
        description="Export backup.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/backups/{backup_id}/export_record"}],
    ),
    base.APIRule(
        name="volume_extension:backup_admin_actions:reset_status",
        check_str=("rule:admin_api"),
        description="Reset status of a backup.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/backups/{backup_id}/action (os-reset_status)"}],
    ),
    base.APIRule(
        name="volume_extension:backup_admin_actions:force_delete",
        check_str=("rule:admin_api"),
        description="Force delete a backup.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/backups/{backup_id}/action (os-force_delete)"}],
    ),
    base.APIRule(
        name="group:get_all",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List groups.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/groups"}, {"method": "GET", "path": "/groups/detail"}],
    ),
    base.APIRule(
        name="group:create",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create group.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/groups"}],
    ),
    base.APIRule(
        name="group:get",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show group.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/groups/{group_id}"}],
    ),
    base.APIRule(
        name="group:update",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update group.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/groups/{group_id}"}],
    ),
    base.APIRule(
        name="group:group_project_attribute",
        check_str=("rule:admin_api"),
        description="List groups or show group with project attributes.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/groups/{group_id}"}, {"method": "GET", "path": "/groups/detail"}],
    ),
    base.APIRule(
        name="group:group_types:create",
        check_str=("rule:admin_api"),
        description="Create a group type.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/group_types/"}],
    ),
    base.APIRule(
        name="group:group_types:update",
        check_str=("rule:admin_api"),
        description="Update a group type.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/group_types/{group_type_id}"}],
    ),
    base.APIRule(
        name="group:group_types:delete",
        check_str=("rule:admin_api"),
        description="Delete a group type.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/group_types/{group_type_id}"}],
    ),
    base.APIRule(
        name="group:access_group_types_specs",
        check_str=("rule:admin_api"),
        description="Show group type with type specs attributes.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/group_types/{group_type_id}"}],
    ),
    base.APIRule(
        name="group:group_types_specs:get",
        check_str=("rule:admin_api"),
        description="Show a group type spec.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}],
    ),
    base.APIRule(
        name="group:group_types_specs:get_all",
        check_str=("rule:admin_api"),
        description="List group type specs.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/group_types/{group_type_id}/group_specs"}],
    ),
    base.APIRule(
        name="group:group_types_specs:create",
        check_str=("rule:admin_api"),
        description="Create a group type spec.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/group_types/{group_type_id}/group_specs"}],
    ),
    base.APIRule(
        name="group:group_types_specs:update",
        check_str=("rule:admin_api"),
        description="Update a group type spec.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}],
    ),
    base.APIRule(
        name="group:group_types_specs:delete",
        check_str=("rule:admin_api"),
        description="Delete a group type spec.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}],
    ),
    base.APIRule(
        name="group:get_all_group_snapshots",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List group snapshots.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/group_snapshots"}, {"method": "GET", "path": "/group_snapshots/detail"}],
    ),
    base.APIRule(
        name="group:create_group_snapshot",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create group snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/group_snapshots"}],
    ),
    base.APIRule(
        name="group:get_group_snapshot",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show group snapshot.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/group_snapshots/{group_snapshot_id}"}],
    ),
    base.APIRule(
        name="group:delete_group_snapshot",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete group snapshot.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/group_snapshots/{group_snapshot_id}"}],
    ),
    base.APIRule(
        name="group:update_group_snapshot",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update group snapshot.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/group_snapshots/{group_snapshot_id}"}],
    ),
    base.APIRule(
        name="group:group_snapshot_project_attribute",
        check_str=("rule:admin_api"),
        description="List group snapshots or show group snapshot with project attributes.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/group_snapshots/{group_snapshot_id}"}, {"method": "GET", "path": "/group_snapshots/detail"}],
    ),
    base.APIRule(
        name="group:reset_group_snapshot_status",
        check_str=("rule:admin_api"),
        description="Reset status of group snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/group_snapshots/{g_snapshot_id}/action (reset_status)"}],
    ),
    base.APIRule(
        name="group:delete",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete group.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/groups/{group_id}/action (delete)"}],
    ),
    base.APIRule(
        name="group:reset_status",
        check_str=("rule:admin_api"),
        description="Reset status of group.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/groups/{group_id}/action (reset_status)"}],
    ),
    base.APIRule(
        name="group:enable_replication",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Enable replication.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/groups/{group_id}/action (enable_replication)"}],
    ),
    base.APIRule(
        name="group:disable_replication",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Disable replication.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/groups/{group_id}/action (disable_replication)"}],
    ),
    base.APIRule(
        name="group:failover_replication",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Fail over replication.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/groups/{group_id}/action (failover_replication)"}],
    ),
    base.APIRule(
        name="group:list_replication_targets",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="List failover replication.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/groups/{group_id}/action (list_replication_targets)"}],
    ),
    base.APIRule(
        name="volume_extension:qos_specs_manage:get_all",
        check_str=("rule:admin_api"),
        description="List qos specs or list all associations.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/qos-specs"}, {"method": "GET", "path": "/qos-specs/{qos_id}/associations"}],
    ),
    base.APIRule(
        name="volume_extension:qos_specs_manage:get",
        check_str=("rule:admin_api"),
        description="Show qos specs.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/qos-specs/{qos_id}"}],
    ),
    base.APIRule(
        name="volume_extension:qos_specs_manage:create",
        check_str=("rule:admin_api"),
        description="Create qos specs.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/qos-specs"}],
    ),
    base.APIRule(
        name="volume_extension:qos_specs_manage:update",
        check_str=("rule:admin_api"),
        description="Update qos specs (including updating association).",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/qos-specs/{qos_id}"}, {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate_all"}, {"method": "GET", "path": "/qos-specs/{qos_id}/associate"}, {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate"}],
    ),
    base.APIRule(
        name="volume_extension:qos_specs_manage:delete",
        check_str=("rule:admin_api"),
        description="delete qos specs or unset one specified qos key.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/qos-specs/{qos_id}"}, {"method": "PUT", "path": "/qos-specs/{qos_id}/delete_keys"}],
    ),
    base.APIRule(
        name="volume_extension:quota_classes:get",
        check_str=("rule:admin_api"),
        description="Show project quota class.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/os-quota-class-sets/{project_id}"}],
    ),
    base.APIRule(
        name="volume_extension:quota_classes:update",
        check_str=("rule:admin_api"),
        description="Update project quota class.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/os-quota-class-sets/{project_id}"}],
    ),
    base.APIRule(
        name="volume_extension:quotas:show",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show project quota (including usage and default).",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/os-quota-sets/{project_id}"}, {"method": "GET", "path": "/os-quota-sets/{project_id}/default"}, {"method": "GET", "path": "/os-quota-sets/{project_id}?usage=True"}],
    ),
    base.APIRule(
        name="volume_extension:quotas:update",
        check_str=("rule:admin_api"),
        description="Update project quota.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/os-quota-sets/{project_id}"}],
    ),
    base.APIRule(
        name="volume_extension:quotas:delete",
        check_str=("rule:admin_api"),
        description="Delete project quota.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/os-quota-sets/{project_id}"}],
    ),
    base.APIRule(
        name="volume_extension:capabilities",
        check_str=("rule:admin_api"),
        description="Show backend capabilities.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/capabilities/{host_name}"}],
    ),
    base.APIRule(
        name="volume_extension:services:index",
        check_str=("rule:admin_api"),
        description="List all services.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/os-services"}],
    ),
    base.APIRule(
        name="volume_extension:services:update",
        check_str=("rule:admin_api"),
        description="Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/os-services/{action}"}],
    ),
    base.APIRule(
        name="volume:freeze_host",
        check_str=("rule:admin_api"),
        description="Freeze a backend host.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/os-services/freeze"}],
    ),
    base.APIRule(
        name="volume:thaw_host",
        check_str=("rule:admin_api"),
        description="Thaw a backend host.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/os-services/thaw"}],
    ),
    base.APIRule(
        name="volume:failover_host",
        check_str=("rule:admin_api"),
        description="Failover a backend host.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/os-services/failover_host"}],
    ),
    base.APIRule(
        name="scheduler_extension:scheduler_stats:get_pools",
        check_str=("rule:admin_api"),
        description="List all backend pools.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/scheduler-stats/get_pools"}],
    ),
    base.APIRule(
        name="volume_extension:hosts",
        check_str=("rule:admin_api"),
        description="List, update or show hosts for a project.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/os-hosts"}, {"method": "PUT", "path": "/os-hosts/{host_name}"}, {"method": "GET", "path": "/os-hosts/{host_id}"}],
    ),
    base.APIRule(
        name="limits_extension:used_limits",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show limits with used limit attributes.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/limits"}],
    ),
    base.APIRule(
        name="volume_extension:list_manageable",
        check_str=("rule:admin_api"),
        description="List (in detail) of volumes which are available to manage.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/manageable_volumes"}, {"method": "GET", "path": "/manageable_volumes/detail"}],
    ),
    base.APIRule(
        name="volume_extension:volume_manage",
        check_str=("rule:admin_api"),
        description="Manage existing volumes.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/manageable_volumes"}],
    ),
    base.APIRule(
        name="volume_extension:volume_unmanage",
        check_str=("rule:admin_api"),
        description="Stop managing a volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unmanage)"}],
    ),
    base.APIRule(
        name="volume_extension:type_create",
        check_str=("rule:admin_api"),
        description="Create volume type.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/types"}],
    ),
    base.APIRule(
        name="volume_extension:type_update",
        check_str=("rule:admin_api"),
        description="Update volume type.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/types"}],
    ),
    base.APIRule(
        name="volume_extension:type_delete",
        check_str=("rule:admin_api"),
        description="Delete volume type.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/types"}],
    ),
    base.APIRule(
        name="volume_extension:type_get",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Get one specific volume type.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/{type_id}"}],
    ),
    base.APIRule(
        name="volume_extension:type_get_all",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List volume types.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/"}],
    ),
    base.APIRule(
        name="volume_extension:access_types_extra_specs",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Include the volume type's extra_specs attribute in the volume type list or show requests.  The ability to make these calls is governed by other policies.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types"}],
    ),
    base.APIRule(
        name="volume_extension:access_types_qos_specs_id",
        check_str=("rule:admin_api"),
        description="Include the volume type's QoS specifications ID attribute in the volume type list or show requests.  The ability to make these calls is governed by other policies.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_encryption:create",
        check_str=("rule:admin_api"),
        description="Create volume type encryption.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/types/{type_id}/encryption"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_encryption:get",
        check_str=("rule:admin_api"),
        description="Show a volume type's encryption type, show an encryption specs item.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/{type_id}/encryption"}, {"method": "GET", "path": "/types/{type_id}/encryption/{key}"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_encryption:update",
        check_str=("rule:admin_api"),
        description="Update volume type encryption.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/types/{type_id}/encryption/{encryption_id}"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_encryption:delete",
        check_str=("rule:admin_api"),
        description="Delete volume type encryption.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/types/{type_id}/encryption/{encryption_id}"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_access",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Adds the boolean field 'os-volume-type-access:is_public' to the responses for these API calls.  The ability to make these calls is governed by other policies.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types"}, {"method": "GET", "path": "/types/{type_id}"}, {"method": "POST", "path": "/types"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_access:addProjectAccess",
        check_str=("rule:admin_api"),
        description="Add volume type access for project.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/types/{type_id}/action (addProjectAccess)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_access:removeProjectAccess",
        check_str=("rule:admin_api"),
        description="Remove volume type access for project.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/types/{type_id}/action (removeProjectAccess)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_type_access:get_all_for_type",
        check_str=("rule:admin_api"),
        description="List private volume type access detail, that is, list the projects that have access to this volume type.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/{type_id}/os-volume-type-access"}],
    ),
    base.APIRule(
        name="volume:extend",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Extend a volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-extend)"}],
    ),
    base.APIRule(
        name="volume:extend_attached_volume",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Extend a attached volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-extend)"}],
    ),
    base.APIRule(
        name="volume:revert_to_snapshot",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Revert a volume to a snapshot.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (revert)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_admin_actions:reset_status",
        check_str=("rule:admin_api"),
        description="Reset status of a volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reset_status)"}],
    ),
    base.APIRule(
        name="volume:retype",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Retype a volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-retype)"}],
    ),
    base.APIRule(
        name="volume:update_readonly_flag",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update a volume's readonly flag.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_admin_actions:force_delete",
        check_str=("rule:admin_api"),
        description="Force delete a volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-force_delete)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:upload_public",
        check_str=("rule:admin_api"),
        description="Upload a volume to image with public visibility.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:upload_image",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Upload a volume to image.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_admin_actions:force_detach",
        check_str=("rule:admin_api"),
        description="Force detach a volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-force_detach)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_admin_actions:migrate_volume",
        check_str=("rule:admin_api"),
        description="migrate a volume to a specified host.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_admin_actions:migrate_volume_completion",
        check_str=("rule:admin_api"),
        description="Complete a volume migration.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume_completion)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:initialize_connection",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Initialize volume attachment.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-initialize_connection)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:terminate_connection",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Terminate volume attachment.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-terminate_connection)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:roll_detaching",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Roll back volume status to 'in-use'.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-roll_detaching)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:reserve",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Mark volume as reserved.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reserve)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:unreserve",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Unmark volume as reserved.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unreserve)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:begin_detaching",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Begin detach volumes.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-begin_detaching)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:attach",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Add attachment metadata.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-attach)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_actions:detach",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Clear attachment metadata.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-detach)"}],
    ),
    base.APIRule(
        name="volume:reimage",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Reimage a volume in 'available' or 'error' status.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reimage)"}],
    ),
    base.APIRule(
        name="volume:reimage_reserved",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Reimage a volume in 'reserved' status.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reimage)"}],
    ),
    base.APIRule(
        name="volume:get_all_transfers",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List volume transfer.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/os-volume-transfer"}, {"method": "GET", "path": "/os-volume-transfer/detail"}, {"method": "GET", "path": "/volume_transfers"}, {"method": "GET", "path": "/volume-transfers/detail"}],
    ),
    base.APIRule(
        name="volume:create_transfer",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create a volume transfer.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/os-volume-transfer"}, {"method": "POST", "path": "/volume_transfers"}],
    ),
    base.APIRule(
        name="volume:get_transfer",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show one specified volume transfer.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/os-volume-transfer/{transfer_id}"}, {"method": "GET", "path": "/volume-transfers/{transfer_id}"}],
    ),
    base.APIRule(
        name="volume:accept_transfer",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Accept a volume transfer.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/os-volume-transfer/{transfer_id}/accept"}, {"method": "POST", "path": "/volume-transfers/{transfer_id}/accept"}],
    ),
    base.APIRule(
        name="volume:delete_transfer",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete volume transfer.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/os-volume-transfer/{transfer_id}"}, {"method": "DELETE", "path": "/volume-transfers/{transfer_id}"}],
    ),
    base.APIRule(
        name="volume:get_volume_metadata",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show volume's metadata or one specified metadata with a given key.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes/{volume_id}/metadata"}, {"method": "GET", "path": "/volumes/{volume_id}/metadata/{key}"}, {"method": "POST", "path": "/volumes/{volume_id}/action  (os-show_image_metadata)"}],
    ),
    base.APIRule(
        name="volume:create_volume_metadata",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create volume metadata.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/metadata"}],
    ),
    base.APIRule(
        name="volume:update_volume_metadata",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Replace a volume's metadata dictionary or update a single metadatum with a given key.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/volumes/{volume_id}/metadata"}, {"method": "PUT", "path": "/volumes/{volume_id}/metadata/{key}"}],
    ),
    base.APIRule(
        name="volume:delete_volume_metadata",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete a volume's metadatum with the given key.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/volumes/{volume_id}/metadata/{key}"}],
    ),
    base.APIRule(
        name="volume_extension:volume_image_metadata:show",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Include a volume's image metadata in volume detail responses.  The ability to make these calls is governed by other policies.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes/detail"}, {"method": "GET", "path": "/volumes/{volume_id}"}],
    ),
    base.APIRule(
        name="volume_extension:volume_image_metadata:set",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Set image metadata for a volume",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-set_image_metadata)"}],
    ),
    base.APIRule(
        name="volume_extension:volume_image_metadata:remove",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Remove specific image metadata from a volume",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unset_image_metadata)"}],
    ),
    base.APIRule(
        name="volume:update_volume_admin_metadata",
        check_str=("rule:admin_api"),
        description="Update volume admin metadata. This permission is required to complete these API calls, though the ability to make these calls is governed by other policies.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-attach)"}],
    ),
    base.APIRule(
        name="volume_extension:types_extra_specs:index",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List type extra specs.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/{type_id}/extra_specs"}],
    ),
    base.APIRule(
        name="volume_extension:types_extra_specs:create",
        check_str=("rule:admin_api"),
        description="Create type extra specs.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/types/{type_id}/extra_specs"}],
    ),
    base.APIRule(
        name="volume_extension:types_extra_specs:show",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show one specified type extra specs.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
    ),
    base.APIRule(
        name="volume_extension:types_extra_specs:read_sensitive",
        check_str=("rule:admin_api"),
        description="Include extra_specs fields that may reveal sensitive information about the deployment that should not be exposed to end users in various volume-type responses that show extra_specs. The ability to make these calls is governed by other policies.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/types"}, {"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types/{type_id}/extra_specs"}, {"method": "GET", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
    ),
    base.APIRule(
        name="volume_extension:types_extra_specs:update",
        check_str=("rule:admin_api"),
        description="Update type extra specs.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
    ),
    base.APIRule(
        name="volume_extension:types_extra_specs:delete",
        check_str=("rule:admin_api"),
        description="Delete type extra specs.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
    ),
    base.APIRule(
        name="volume:create",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes"}],
    ),
    base.APIRule(
        name="volume:create_from_image",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create volume from image.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes"}],
    ),
    base.APIRule(
        name="volume:get",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show volume.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes/{volume_id}"}],
    ),
    base.APIRule(
        name="volume:get_all",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List volumes or get summary of volumes.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes"}, {"method": "GET", "path": "/volumes/detail"}, {"method": "GET", "path": "/volumes/summary"}],
    ),
    base.APIRule(
        name="volume:update",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Update volume or update a volume's bootable status.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/volumes"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-set_bootable)"}],
    ),
    base.APIRule(
        name="volume:delete",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Delete volume.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/volumes/{volume_id}"}],
    ),
    base.APIRule(
        name="volume:force_delete",
        check_str=("rule:admin_api"),
        description="Force Delete a volume.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/volumes/{volume_id}"}],
    ),
    base.APIRule(
        name="volume_extension:volume_host_attribute",
        check_str=("rule:admin_api"),
        description="List or show volume with host attribute.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}],
    ),
    base.APIRule(
        name="volume_extension:volume_tenant_attribute",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="List or show volume with tenant attribute.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}],
    ),
    base.APIRule(
        name="volume_extension:volume_mig_status_attribute",
        check_str=("rule:admin_api"),
        description="List or show volume with migration status attribute.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}],
    ),
    base.APIRule(
        name="volume_extension:volume_encryption_metadata",
        check_str=("rule:xena_system_admin_or_project_reader"),
        description="Show volume's encryption metadata.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/volumes/{volume_id}/encryption"}, {"method": "GET", "path": "/volumes/{volume_id}/encryption/{encryption_key}"}],
    ),
    base.APIRule(
        name="volume:multiattach",
        check_str=("rule:xena_system_admin_or_project_member"),
        description="Create multiattach capable volume.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/volumes"}],
    ),
    base.APIRule(
        name="volume_extension:default_set_or_update",
        check_str=("rule:admin_api"),
        description="Set or update default volume type.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/default-types"}],
    ),
    base.APIRule(
        name="volume_extension:default_get",
        check_str=("rule:admin_api"),
        description="Get default types.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/default-types/{project-id}"}],
    ),
    base.APIRule(
        name="volume_extension:default_get_all",
        check_str=("rule:admin_api"),
        description="Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/default-types/"}],
    ),
    base.APIRule(
        name="volume_extension:default_unset",
        check_str=("rule:admin_api"),
        description="Unset default type.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/default-types/{project-id}"}],
    ),
)

__all__ = ("list_rules",)
